A number of Android apps developed by two popular Chinese developers have been found to be involved in an ad fraud scheme. An app analytics firm discovered that eight apps on Google Play Store with more than two billion downloads have been exploiting user permissions to steal “millions of dollars”. Seven of these apps come from Cheetah Mobile, a Chinese internet company, while the other one has been developed by Kika Tech, another Chinese firm. These apps reportedly boast of over 700 million monthly active users.

As per app analytics firm Kochava, which shared its report with Buzzfeed News, the two firms have been misusing app permissions in order to monitor new downloads and then used the data to claim credit for having caused the download. The report explains that the ad fraud scheme exploits the fact that several app developers pay a bounty ranging from 50 cents (roughly Rs. 35) to $3 (roughly Rs. 200) to partners that help them get more installations of their apps. Cheetah and Kika have essentially been using click flooding and click injection techniques to get app-install bounties even without playing any role in app installations.

The apps developed by Cheetah include Clean Master, CM File Manager, CM Launcher 3D, Security Master, Battery Doctor, CM Locker, and Cheetah Keyboard. As per data from AppBrain analytics service, these Android apps are quite popular since they were downloaded more than 20 million times in the last 30 days itself. It is interesting to note that Google had promoted the CM Launcher 3D app as one of Google Play’s “go-to apps”

Meanwhile, the other app named as a part of the ad fraud scheme is the Kika Keyboard. It is reportedly Google Play Store’s most popular keyboard app with over 60 million monthly active users. These apps reportedly ask users to provide a plethora of permissions, including the ability to track keystrokes or other downloaded apps.

Kika Tech CEO Bill Hu, in a statement to BuzzFeed News, said that the ad fraud took place “without the company’s full knowledge.” He added that the company is internally investigating the issue and will “rectify the situation” in case “code has been placed inside our product”. Meanwhile, Cheetah Mobile also issued a statement to BuzzFeed News suggesting that third-party software development kits (SDKs) integrated into its apps were responsible for the click injection. “We request ads via SDK from these ad platforms and display their ads. We have no control over the behaviour of these SDKs,” the company was quoted as saying.

The latest report comes less than a month after an investigation had uncovered that over 125 Android apps were using a system of bots and shell companies to steal ad revenue. The report had resulted in Google removing several apps from its Play store, Also, recently the company pulled 13 apps containing malware that were downloaded half a million times. Coming to the latest issue involving Cheetah Mobile and Kika Tech, Google has told BuzzFeed News that it is still investigating.